Error in OAuth discovery: Error: self-signed certificate
Hi. I hope no one asked this before - I used google and searched in here, but couldn't find much.
I recently tried to setup Authentik to act as an SSO provider for Immich (internally, in my own network). Authentik and Immich are both run through docker, but on separate VMs and subnets.
Filled out everything according to https://docs.goauthentik.io/integrations/services/immich/ and https://immich.app/docs/administration/oauth/.
When I try to login, however, I get an error message saying
Error in OAuth discovery: Error: self-signed certificate (Immich Server Error). Since nobody else on the internet seems to be having this problem, I'm guessing it's something seriously stupid that I forgot to do or add, but for the life of me I can't figure out what. The relevant Docker log entry is:
Docker-compose & .env are attached. For Authentik, the docker-compose file is the default one. Configurations of both immich and authentik are attached (with just the secret removed)
10 Replies
:wave: Hey @Ouguiya,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs:
docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJAChecklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like
fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.GitHub
immich-app immich · Discussions
Explore the GitHub Discussions forum for immich-app immich. Discuss code, ask questions & collaborate with the developer community.
FAQ | Immich
User
GitHub
Issues · immich-app/immich
High performance self-hosted photo and video management solution. - Issues · immich-app/immich
Like it says in the error, it's getting a self-signed (and thus untrusted) certificate
But...from whom? Authentik? There was no other certificate to choose from 😐 Even the official guide at https://immich.app/docs/administration/oauth/ in the Authentik screenshot shows that "authentik Self-signed Certificate" should be used.
Yes, from Authentik. The signing key mentioned in those docs is a different thing
This is about the cert used for the HTTPS connection
Ah, I see...so what would I need to do to make it trusted, then? (sorry, still a bit new to the whole homelab thing in general and PKI stuff especially)
Ideally, set it up with a domain and a real certificate from Let's Encrypt
Thank you bo0tzz. I spent some time setting it up with a reverse proxy (nginx) and it does indeed work! Note to anyone stumbling on this in the future: Unless you have your own PKI running, you can't use authentik/oauth "internally", you need to have an actual domain and a proper, trusted certificate on it. Set the issuer URL accordingly, i.e.
https://<your.domain.url>/applications/o/immich and then it should work 👍*you can use authentik internally, you just need a domain with a cert.
This thread has been closed. To re-open, use the button below.